Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Category Archive: Uncategorized

Why you need to know about the new variant of Locky ransomware.

After infecting computers with recurring malicious email campaigns sent to random recipients in organizations from all over the world, Locky ransomware strikes again.

Locky’s persistence is well known, as cyber criminals use it frequently to exploit vulnerabilities in outdated systems. The most recent campaign, which started late last night, uses a new extension, .lukitus, and was discovered by Rommel Joven. As with earlier variants, victims are told they can get their files back only after paying the ransom the attackers demand.

The malicious email arrives into users’ inboxes with the following subject lines:

< No Subject > or Emailing – CSI-[0-9]*_MB_S_[A-z0-9]

The email also carries a zip or rar attachment containing JS files. When these files are executed, they download the payload from various malicious URLs, like the ones in the selection below (sanitized for your online safety):


This is another variation of the same attack, spotted yesterday as well:

To ensure that Locky can communicate with its underlying C&C servers unhindered, a DGA (Domain Generation Algorithm) is also used, which provides the following domains and many, many more (sanitized for your online safety):


Once the files are downloaded and executed, they start scanning the user’s computer and encrypting system files, modifying their names with the following format:

After the encryption is done, Locky removes the downloaded executable and drops a ransom note, in files named lukitus.htm and lukitus.bmp, telling users how they can pay and get their files back.

This is how a message with the Locky Lukitus Ransom Note appears on an infected computer display:

Although a number of free decryption tools exist for other ransomware, this Locky Lukitus variant remains unbroken, with no way to decrypt .lukitus files for free.

Initially, VirusTotal showed that 7 of 53 antivirus solutions were detecting this malicious file at the time it was posted. After a new and recent analysis, more engines (20 of 53 antivirus products) also identify this threat.
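The indicators above (subject lines, zip/rar attachments carrying a JS downloader, the .lukitus extension and the two ransom-note names) can be turned into a simple triage rule. The following Python is an added example, not code from the original post or from Heimdal; the sample messages and paths are constructed, and the subject pattern is written as [A-Za-z0-9] rather than the post's [A-z0-9], since A-z in a regex also matches punctuation.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Indicators taken from the write-up above.
SUBJECT_PATTERNS = [
    re.compile(r"^\s*(<\s*No Subject\s*>)?\s*$", re.IGNORECASE),   # blank / "< No Subject >"
    re.compile(r"^Emailing\s*[-–]\s*CSI-\d*_MB_S_[A-Za-z0-9]+$", re.IGNORECASE),
]
ARCHIVE_EXT = {".zip", ".rar"}
DOWNLOADER_EXT = {".js"}
ENCRYPTED_EXT = ".lukitus"
RANSOM_NOTES = {"lukitus.htm", "lukitus.bmp"}


@dataclass
class Attachment:
    name: str
    members: List[str] = field(default_factory=list)  # file names listed inside an archive


@dataclass
class Message:
    subject: str
    attachments: List[Attachment] = field(default_factory=list)


def subject_matches(subject: str) -> bool:
    """True when the subject follows one of the campaign's reported patterns."""
    return any(p.search(subject) for p in SUBJECT_PATTERNS)


def js_in_archives(msg: Message) -> List[str]:
    """Names of zip/rar attachments whose listing contains a .js file."""
    hits = []
    for att in msg.attachments:
        if os.path.splitext(att.name)[1].lower() not in ARCHIVE_EXT:
            continue
        if any(os.path.splitext(m)[1].lower() in DOWNLOADER_EXT for m in att.members):
            hits.append(att.name)
    return hits


def triage(msg: Message) -> Tuple[str, List[str]]:
    """Mail-gateway verdict ('quarantine', 'review' or 'allow') plus the reasons."""
    reasons = []
    if subject_matches(msg.subject):
        reasons.append("subject matches Locky campaign pattern")
    archives = js_in_archives(msg)
    if archives:
        reasons.append("JS script inside archive attachment: " + ", ".join(archives))
        return ("quarantine", reasons)   # a script in an archive is the downloader itself
    if reasons:
        return ("review", reasons)       # the subject alone is weak evidence
    return ("allow", reasons)


def host_indicators(paths: List[str]) -> Tuple[List[str], List[str]]:
    """Endpoint side: files renamed to .lukitus and dropped ransom notes."""
    encrypted, notes = [], []
    for p in paths:
        name = re.split(r"[\\/]", p)[-1].lower()   # basename for Windows or POSIX paths
        if name.endswith(ENCRYPTED_EXT):
            encrypted.append(p)
        elif name in RANSOM_NOTES:
            notes.append(p)
    return encrypted, notes


# Constructed sample input; the subject suffix, file names and paths are invented.
SAMPLE_MESSAGES = [
    Message("Emailing - CSI-034183_MB_S_7727", [Attachment("CSI-034183.zip", ["CSI-034183.js"])]),
    Message("< No Subject >", [Attachment("invoice.pdf")]),
    Message("Quarterly report", [Attachment("report.zip", ["report.xlsx"])]),
]
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.lukitus",
    "C:/Users/alice/Desktop/lukitus.htm",
    "C:/Users/alice/Desktop/notes.txt",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject or "(blank)", "->", triage(m))
    print(host_indicators(SAMPLE_PATHS))
```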

Backup, backup and backup again! Make sure you have at least 2 backups of your important data on external sources such as a hard drive or somewhere in the cloud (Google Drive, Dropbox, etc.). This guide shows how to do it.

Update, update and update again! Once again, we remind users to install all the latest updates for their apps installed on the device, including the operating system.

Do not open or download email messages, or click on suspicious links, from unknown sources, as they could infect your device.

Make sure you have a security software product (antivirus) that is updated or use a proactive security product to block access to infected domains or servers.

Ransomware attacks are on the rise and continue to appear in different forms. Once again, we remind you about the importance of being proactive and taking all needed security measures to protect your sensitive data.

Amazon Echo devices older than 2017 can be physically hacked and turned into a ‘wiretap.’ Researchers urge caution when buying second-hand devices.


A 9-year-old Massachusetts boy broke into his neighbor’s apartment, not once but three times, and made off with various goodies, including an iPhone and Amazon Echo. He might have gotten away with it except his neighbor had an audio recording of his voice thanks to Alexa. She told police she recognized her young neighbor’s voice, and according to The Gloucester Times, he now faces charges of breaking and entering and larceny.

Under Settings in the Alexa app, you can check out History like she did. By tapping on items in History, you can review what has been said to Alexa, hear the audio recordings and even individually delete those voice recordings. You can wipe all voice recordings at once via the Amazon app under Your Account>Manage Voice Recordings, then select Delete.

That would not work, however, if your Echo had been rooted and turned into a “wiretap.” That’s something security researcher Mark Barnes from MWR Labs was able to do.

The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering. Such malware could grant an attacker persistent remote access to the device, steal customer authentication tokens, and the ability to stream live microphone audio to remote services without altering the functionality of the device.

Unlikely to happen to your Echo, but be wary of buying second-hand versions

The fact that physical access is required makes it unlikely it will happen to your Echo. It also works only on 2015 and 2016 editions of Amazon Echo devices, as they had a rubber base that can be popped off to reveal 18 debug pads. Neither the 2017 Echo model, nor the Amazon Dot, are vulnerable.

If a knowledgeable attacker did have access to an older Echo, Barnes noted that rooting it is “trivial.” After rooting the Echo, the researchers wrote a script to continuously grab the raw microphone audio data.

Barnes called the physical access requirement a “major limitation.” The how-to is out there now, so maybe that should give you pause before you purchase a second-hand Echo.

Watch out for Echo devices in hotel rooms

It might also be a good idea to immediately hit the mute button on the top of any Echo found inside hotel rooms just in case it has been hacked to provide attackers 24/7 eavesdropping capabilities.

The devices being installed in hotel rooms is far from common, but when the Wynn Hotel in Las Vegas announced plans “to equip all 4,748 hotel rooms” with an Echo, the hotel said, “Alexa will be fully operational in all guest rooms by summer 2017.”

Amazon responded to the turn-Alexa-into-a-spy news by urging customers to “purchase Amazon devices from Amazon or a trusted retailer” and to “keep their software up to date.” It should be noted, however, that updated software would do nothing to prevent a hacked Echo from continuously listening in.

MWR Labs concluded:

The Amazon Echo does include a physical mute button that disables the microphone on the top of the device or can be turned off when sensitive information is being discussed (this is a hardwire mechanism and cannot be altered via software). Although the Echo brings about questions of privacy with its ‘always listening’ microphones, many of us walk around with trackable microphones in our pockets without a second thought.

Indeed, working from home seems like heresy if you believe in the “collaborative, innovative workplace” idea, or (as I call it) the “let’s-force-everyone-to-work-in-an-office-that-looks-like-a-hotel-lobby-from-outer-space” management fad.

In his TED Talk, Bloom explains that work-from-home is potentially as powerful and innovative as the driverless car. And he’s dead serious.

As evidence, Bloom cites a Singapore company where half of the staff worked from home for four days a week while the other half came into the office five days a week.

The two-year study revealed that the employees who worked from home had a “massive, massive” (Bloom’s words) increase in productivity–almost equivalent to an additional workday–primarily because of fewer distractions and fewer pointless conversations.

The work-from-home employees also tended to remain in their jobs longer, thereby decreasing employee turnover, which (of course) drains management productivity and results in an expensive loss of skills and connections when an employee quits.

Finally, the work-from-home employees were happier and therefore healthier, thereby reducing sick days and absenteeism (as well as people coming into work with contagious colds and flu), all of which decreased the company’s overall health care expenses.

The experiment was so successful that the company instituted work-from-home throughout the company, which also (as a side benefit) allowed the company to grow without adding expensive office space.

These results echo a recent Gallup study showing that employees who work from home three to four days a week are far more likely (41 percent versus 30 percent) to “feel engaged” and far less likely (48 percent versus 55 percent) to feel “not engaged” than people who report to the office each day.

So there you have it. Companies that are forcing employees to come into their glitzy but noisy and distracting open-plan offices would be much better off if they instead let their employees work from home most of the time.

Are you using payment system over public Wi‑Fi?

Black Hat USA Security researchers say they have come up with two separate “attacks” against ApplePay, highlighting what they claim are weaknesses in the mobile payment method.

One of the attacks developed by the white hats, and presented at Black Hat USA yesterday, requires a jailbroken device to work, but the other assault does not.

In the first attack, say the researchers from Positive Technologies, hackers will initially need to infect a jailbroken device with malware. Having achieved this, they might then be able to intercept traffic en route to an Apple server, in this case payment data being added to the device’s account. Once hackers have succeeded in pushing malware with root privileges, then it’s game over (in most scenarios), claim the white hats.

The second attack can be performed against any device as hackers intercept and/or manipulate SSL transaction traffic without employing any sophisticated equipment or skills, they say. The attack involves replaying or tampering with transaction data: changing the amount or currency being paid, or changing the delivery details for the goods being ordered.

Timur Yunusov, head of banking security for Positive Technologies explained: “With wireless payments – PayPass, ApplePay, SamsungPay, etc, there is a perception that ApplePay is one of the most secure systems. ApplePay’s security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments.”

Although Apple’s approach might seem sound, Positive Technologies claimed it had nevertheless uncovered two potential avenues of attack. While one relies on the device being jailbroken – a practice frowned upon by security experts that is carried out by an estimated one in five users – another attack can target an unmodified iPhone or iPad, as Positive Technologies explained to El Reg.

The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].

Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.

As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.

“Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim’s phone,” according to Yunusov.

There are some limitations to the attack from the point of view of would-be cybercrooks. For one thing, the victim will get an advisory detailing the transaction as soon as it is made so they may block their card – although they could just dismiss the warning as an error. There is also the risk that the bank/merchant/payment gateway could identify and block suspicious transactions.

Positive Technology advises users to be vigilant when using ApplePay to purchase items online, particularly monitoring for the use of “https” or fraudulent websites, and to avoid making transactions in public Wi‑Fi environments where traffic might be easily snooped.

Positive Technology’s Yunusov presented his research at Black Hat USA yesterday. The security firm confirmed it had informed Apple of its research beforehand.

Fixing the issue will require action from all points in the chain, including the banking merchants, payment gateways, and card issuers, the security firm claimed.
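The two gateway-side weaknesses the researchers describe, cryptograms accepted more than once and delivery details accepted without an integrity check, can be contrasted with the corrected behaviour in a small model. This Python is an added illustration, not Positive Technologies' or Apple's code; it uses a shared HMAC key and a wallet-chosen nonce as stand-ins for the real network-side cryptogram verification, and all values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Simplified model (not Apple Pay's real message format): the wallet proves a
# transaction with a one-time cryptogram bound to the transaction details, and
# the gateway must both verify that binding and refuse the same cryptogram twice.
SHARED_KEY = b"demo-network-key"   # placeholder for the network's verification key


@dataclass(frozen=True)
class Payment:
    nonce: str          # one-time value chosen by the wallet
    amount_cents: int
    currency: str
    delivery: str       # shipping details, which the article says travel in cleartext
    cryptogram: str     # MAC over the fields above


def _mac(key: bytes, nonce: str, amount_cents: int, currency: str, delivery: str) -> str:
    msg = "|".join([nonce, str(amount_cents), currency, delivery]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def wallet_pay(amount_cents: int, currency: str, delivery: str, key: bytes = SHARED_KEY) -> Payment:
    """Wallet side: produce a fresh cryptogram bound to exactly this transaction."""
    nonce = secrets.token_hex(8)
    return Payment(nonce, amount_cents, currency, delivery,
                   _mac(key, nonce, amount_cents, currency, delivery))


class WeakGateway:
    """The setup the article criticises: any cryptogram is accepted, any number of times."""
    def authorize(self, p: Payment) -> Tuple[bool, str]:
        return (bool(p.cryptogram), "accepted")


class Gateway:
    """Corrected: the cryptogram must match the submitted details and may be used once."""
    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.used: Set[str] = set()

    def authorize(self, p: Payment) -> Tuple[bool, str]:
        expected = _mac(self.key, p.nonce, p.amount_cents, p.currency, p.delivery)
        if not hmac.compare_digest(expected, p.cryptogram):
            return (False, "cryptogram does not match transaction details")
        if p.nonce in self.used:
            return (False, "cryptogram already used (replay)")
        self.used.add(p.nonce)
        return (True, "accepted")


def demo() -> Dict[str, bool]:
    """Run the same three submissions through both gateways (constructed test vectors)."""
    original = wallet_pay(4999, "USD", "1 Example St, Anytown")
    # Same cryptogram resubmitted with a different delivery address.
    tampered = Payment(original.nonce, original.amount_cents, original.currency,
                       "99 Other Rd, Elsewhere", original.cryptogram)
    weak, strong = WeakGateway(), Gateway()
    return {
        "weak_first": weak.authorize(original)[0],
        "weak_replay": weak.authorize(original)[0],
        "weak_tampered": weak.authorize(tampered)[0],
        "strong_first": strong.authorize(original)[0],
        "strong_replay": strong.authorize(original)[0],
        "strong_tampered": strong.authorize(tampered)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```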

Facebook has a new home for original video content produced exclusively for it by partners, who will earn 55 percent of ad break revenue while Facebook keeps 45 percent. The “Watch” tab and several dozen original shows will start rolling out to a small group of U.S. users tomorrow on mobile, desktop and Facebook’s TV apps.

By hosting original programming, Facebook could boost ad revenue and give people a reason to frequently return to the News Feed for content they can’t get anywhere else.

Watch features personalized recommendations of live and recorded shows to watch, plus categories like “Most Talked About,” “What’s Making People Laugh” and “Shows Your Friends Are Watching.” Publishers can also share their shows to the News Feed to help people discover them. A Watchlist feature lets you subscribe to updates on new episodes of your favorite shows. Fans can connect with each other and creators through a new feature that links shows to Groups.

Facebook says it plans to roll out access to Watch to more users and more content creators soon, starting with the rest of the U.S. before expanding internationally. Users with access will see a TV-shaped Watch button in the bottom navigation bar of Facebook’s main app that opens the new video hub.

Facebook admits that “we’ve also funded some shows” as examples, but notes that these are only a small percentage of all the available shows. “We want any publisher/creator who is interested to be able to create a show in the future,” a Facebook spokesperson tells me. “So there will be hundreds of shows at launch, and we’ll hopefully scale to thousands.”

Business Insider reported some leaked details about the redesign earlier today, but pegged the launch of original programming as starting August 28th, when the shows actually will begin to roll out August 11th.

What Facebook’s First Shows Look Like

Facebook’s shows will run the gamut from live event coverage to reality TV to scripted programs. “More and more people are coming to Facebook in order to watch video” Facebook’s director of video product Daniel Danker tells me. “When they come with that in mind, we want to make a place for them where they can find that video, connect with the creators and publishers they love, and know they won’t miss out if there’s a new episode from one of those creators.”

Here’s a list of some of the original programming that will be available on Watch:

Tastemade’s Kitchen Little – This cooking show sees kids watch a how-to recipe video, then instruct a pro chef how to make the dish with comedic results

Major League Baseball – The MLB will broadcast one game a week live on Facebook

Major League Baseball “12:25 Live” – A comedic look at baseball with help from the fans

Mike Rowe – Rowe finds people who’ve done great things for their community and gives them a special experience in return

Nas Daily – Vlogger Nas (Correction: Not the rapper) makes videos with his biggest friends each day

Gabby Bernstein – Motivational speaker and author answers fans’ life questions in live and recorded segments

A&E’s “Bae or Bail” – Reality TV game show where couples face their fears and see who runs

All Def Digital’s “Inside the Office” – A look inside the office life at Russell Simmons’ hip-hop media empire

Billboard’s “How it Went Down” – A documentary series of musicians sharing crazy stories

David Lopez’s “My Social Media Life” – A reality show about the social media star’s life

NBA’s “WNBA All-Access” – A behind the scenes show with women’s basketball stars

The Dodo’s “Comeback Kids: Animal Edition” – Determined animals facing difficult conditions or challenges meet people who refuse to give up on them

Tommy Mac – A master woodworker gives live tutorials on how to make furniture

What’s clearly absent is the type of longer-form scripted dramas and comedies people are used to watching on television. Instead, there are plenty of mini-documentaries, reality shows, and sports coverage.

Facebook CEO Mark Zuckerberg writes that “We believe it’s possible to rethink a lot of experiences through the lens of building community — including watching video. Watching a show doesn’t have to be passive . . . You’ll be able to chat and connect with people during an episode, and join groups with people who like the same shows afterwards to build community.”

When you open Watch, you’ll be able to scroll through a long list of categories of shows to view. Alternatively, you can either swipe over or arrive from a notification about a new episode to view the Watch list of all the latest shows released by creators you follow. Once you’ve opened an episode you’ll see all the details about it, with one tab for joining a live comment reel with other viewers, and an “Up Next” tab displaying what you’ll view after the current episode if you prefer a glazed-eyes lean-back experience.

There are no specific content restrictions on swearing or violence beyond Facebook’s existing community standards, but Facebook will monitor for shows that get flagged.

Publishers can choose to insert ad breaks if they want to earn money off their shows, though the guidelines on where and how long they can be are still being finalized. If publishers want to give away their content, they don’t have to show ads. Another option is to do product placed or branded content, in which case the creator has to tag the sponsor paying them for transparency. Shows will have their own dedicated Facebook Pages, and creators can set up special show Groups where fans can ask questions and geek out together.

Beyond the Watch tab, you can also discover shows through the News Feed if a publisher you follow posts an episode or friends are talking about it. That gives Facebook the opportunity to artificially boost the presence of shows in News Feed to build a bigger audience for the new content initiative.

Evolving From Spontaneous To Deliberate Viewing

Facebook first launched its dedicated video tab in April 2016, but it only hosted the more generic News Feed videos people were already seeing from Pages and friends. Now Facebook is in the business of funding original content, initially through direct payments, though it seeks to switch entirely to a revenue-share model in the future to make its original programming effort sustainable.

Facebook’s competitors like YouTube and Snapchat have already experimented with creating original video content. YouTube Red funds several original series, giving bigger production budgets to some of its biggest stars. Snapchat has tried making its own shows in-house, but now focuses on signing deals with partners like TV studios to get fresh, vertical video content into its Discover section.

Facebook’s benefit is that Watch is cross-platform, allowing people to view videos from all their devices, while also being a daily destination for 1.32 billion users. It’s already become a powerhouse in serendipitous video discovery via the News Feed, and Watch will surely provide enough suggestions to get people hooked on shows they weren’t expecting.

But through premium original programming, Facebook is also trying to become a home for deliberate video consumption where people come to view a specific show. While there are already plenty of reasons to visit Facebook, original shows give people a reason to spend longer staring at their screens. If it can drive enough viewers to these shows thanks to its 2 billion total users, Facebook could offer significant revenue-share payouts, attracting better and better content creators.

Your Dick Tracy routine with the Apple Watch may soon get a little more convincing.

Apple aims to release a new watch as soon as this fall that directly connects to cellular networks, enabling it to make phone calls, surf the internet and send messages by itself, according to a report.

Current versions of the Apple Watch have to be connected to an iPhone in order to perform flashy functions like streaming music, showing directions on a map and sending text messages.

Improving the battery life of the Apple Watch has been a focus in the upgrade efforts, according to the Bloomberg report.

The new model under development also may have new software features such as additional Siri-enabled functions, the ability to connect to gym equipment, display news stories and send payments.

Apple will buy the LTE chips from Intel, which has been vying with Qualcomm for chip sales to Apple, according to the report. With Qualcomm and Apple locked in a legal dispute, Intel has been chosen as the chip maker for the new watch, the report said.

Big carriers, including Verizon, AT&T, Sprint and T-Mobile US, plan to sell the new product with wireless plans, Bloomberg sources said. Apple is still hammering out the details of the release of the new device, which may have to wait until next year.

“Red Team” members were fired as they stepped off stage after presenting internal attack tool.

Meatpistol was supposed to be released at DEFCON. But Salesforce pulled the plug—and fired two security employees for presenting about it.

At Defcon in Las Vegas last month, word rapidly spread that two speakers—members of Salesforce’s internal “red team”—had been fired by a senior executive from Salesforce “as they left the stage.” Those two speakers, who presented under their Twitter handles, were Josh “FuzzyNop” Schwartz, Salesforce’s director of offensive security, and John Cramb, a senior offensive security engineer.

Schwartz and Cramb were presenting the details of their tool, called Meatpistol. It’s a “modular malware implant framework” similar in intent to the Metasploit toolkit used by many penetration testers, except that Meatpistol is not a library of common exploits, and it is not intended for penetration testing. The tool was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code.

“Meatpistol is a framework for red teams to create better implants,” and an “offensive infrastructure automation tool,” Schwartz and Cramb explained in their presentation. It is intended to automate the grunt work of deploying new malware attacks for multiple types of targets. Rather than testing for common vulnerabilities as penetration testers often do, the internal red team Schwartz led until last month had the job of constantly probing and attacking Salesforce’s systems. It even stole data like real adversaries, operating with nearly unrestricted rules of engagement internally.

Meatpistol, while still in its early stages of development, had already improved the efficiency of the Salesforce red team. “Malware implant creation used to take days,” Schwartz said during his presentation. “Now it takes seconds,” he said, cutting “weeks off our operation time.”

Schwartz had reportedly gotten prior approval to speak at Defcon from Salesforce management, and he was working toward getting approval to open-source Meatpistol (which is currently in a very rough “alpha” state but was in use internally at Salesforce). But at the last moment, Salesforce’s management team had a change of heart and tried to get the talk pulled. As ZDNet’s Zach Whittaker reports, a Salesforce executive sent a text message to Schwartz and Cramb an hour before their scheduled talk, telling the pair not to announce the public release of the code.

According to one source Ars spoke with at Defcon, Schwartz turned off his phone prior to the presentation so that he couldn’t be told directly not to speak.

Schwartz told the audience during the presentation that he would push to get the tool published as open source because he felt that it could only get better through community contributions. Following the presentation, Cramb posted to Twitter:

There’s no indication that Salesforce is taking any further action against Schwartz and Cramb. The Electronic Frontier Foundation’s deputy executive director, Kurt Opsahl, confirmed to Ars in an e-mail that the EFF is “representing Josh Schwartz and John Cramb with respect to their talk at Defcon. However, we are not aware of any charges or complaints, whether filed or pending, nor is there any reason to believe that any would be warranted.”

The man who wrote the book on password management has a confession to make: He blew it.

Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly.

The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.

Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement.

“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.

In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments. Paul Grassi, an NIST standards-and-technology adviser who led the two-year-long do-over, said the group thought at the outset the document would require only a light edit.

“We ended up starting from scratch,” Mr. Grassi said.

The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Mr. Grassi said. Those rules did little for security—they “actually had a negative impact on usability,” he said.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.

Amy LaMere had long suspected she was wasting her time with the hour a month it takes to keep track of the hundreds of passwords she has to juggle for her job as a client-resources manager with a trade-show-display company in Minneapolis. “The rules make it harder for you to remember what your password is,” she said. “Then you have to reset it and it just makes it take longer.”

When informed that password advice is changing, however, she wasn’t outraged. Instead, she said it just made her feel better. “I’m right,” she said of the previous rules. “It just doesn’t make sense.”

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.
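The arithmetic behind those two figures, and a password check that follows the rewritten guidance described above (length over composition rules, a blocklist of common choices, no forced rotation by trivial increment), as an added Python example that is not part of the WSJ article. Assumptions: Munroe's estimates of about 28 bits for Tr0ub4dor&3 and 11 bits per word from a 2048-word list at 1,000 guesses per second, and a blocklist constructed from the passwords the article itself names plus a few universally known entries.

```python
import math
import re
from typing import List, Optional

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Figures from Randall Munroe's comparison cited above (assumed here, not derived).
TROUBADOR_BITS = 28            # "Tr0ub4dor&3" under the old substitution-and-symbol rules
WORDLIST_SIZE = 2048           # 11 bits per word drawn at random from this list
GUESSES_PER_SECOND = 1_000.0   # Munroe's rate for a throttled online attack


def passphrase_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of num_words words chosen uniformly from a wordlist."""
    return num_words * math.log2(wordlist_size)


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace (Munroe counts the full space, not the average)."""
    return 2 ** bits / rate


def crack_days(bits: float) -> float:
    return crack_seconds(bits) / SECONDS_PER_DAY


def crack_years(bits: float) -> float:
    return crack_seconds(bits) / SECONDS_PER_YEAR


# Constructed blocklist: the article's examples plus a few universally known entries.
COMMON_PASSWORDS = {"princess", "monkey", "iloveyou", "pa$$w0rd", "password", "123456", "qwerty"}


def _stem(pw: str) -> str:
    """Lower-case and drop the trailing digits/symbols people bolt on to satisfy old rules."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Reasons a password fails 800-63-style rules; an empty list means it is accepted.

    Rules applied: at least 8 characters, spaces and any characters allowed, no
    composition requirement, not a commonly used password (also after stripping a
    trailing '1!' style suffix), and not a trivial increment of the previous password.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if candidate.lower() in COMMON_PASSWORDS or _stem(candidate) in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if previous is not None and _stem(candidate) == _stem(previous):
        problems.append("trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    print(f"Tr0ub4dor&3: about {crack_days(TROUBADOR_BITS):.1f} days")
    print(f"four random words: about {crack_years(passphrase_bits(4)):.0f} years")
    for pw, prev in [("correct horse battery staple", None), ("Pa55word!2", "Pa55word!1"),
                     ("Monkey1!", None), ("Pa$$w0rd", None)]:
        print(f"{pw!r}: {check_password(pw, prev) or 'accepted'}")
```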

Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.

He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.

“They were appalled I even asked,” Mr. Burr said.

With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.

The published guidelines were the best he could do.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” said Mr. Burr.

Nevertheless, NIST’s password advice became widely influential, not just within the federal government but on corporate networks, websites and mobile devices.

Collectively, humans spend the equivalent of more than 1,300 years each day typing passwords, according to Cormac Herley, a principal researcher at Microsoft Corp. His company once followed the Burr code for passwords, but no more.

The biggest argument against Mr. Burr’s prescriptions: they haven’t worked well. “It just drives people bananas and they don’t pick good passwords no matter what you do,” Mr. Burr said.

The past decade has seen a data-breach boom. Hackers have stolen and posted online hundreds of millions of passwords from companies such as MySpace, LinkedIn and Gawker Media.

Those postings have given researchers the data they need to take a hard look at how people’s passwords fare against the tools hackers used to break them. Their conclusion? While we may think our passwords are clever, they aren’t. We tend to gravitate toward the same old combinations over and over.

Back in 2003, Mr. Burr didn’t have the data to understand this phenomenon. Today, it is obvious to people like Lorrie Faith Cranor. After years of studying terrible concoctions, she put 500 of the most commonly used passwords on a blue and purple shift dress she made and wore to a 2015 White House cybersecurity summit at Stanford University.

Adorned with the world’s most common passwords—princess, monkey, iloveyou and others that are unprintable here—the dress has prompted careful study, and embarrassment.

“I’ve had people look at it and they’re like, ‘Oh, I’d better go change my passwords,’ ” said Ms. Cranor, a professor at Carnegie Mellon University.

The NIST rules were supposed to give us randomness. Instead they spawned a generation of widely used and goofy looking passwords such as Pa$$w0rd or Monkey1! “It’s not really random if you and 10,000 other people are doing it,” said Mr. Herley, the Microsoft researcher.

Mr. Grassi, who rewrote NIST’s new password guidelines, thinks his former colleague Mr. Burr is being a little bit hard on himself over his 2003 advice.

“He wrote a security document that held up for 10 to 15 years,” Mr. Grassi said. “I only hope to be able to have a document hold up that long.”

Microsoft’s August 2017 Patch Tuesday brought the first Windows 10 Linux subsystem patches, just as a new version of the Linux subsystem is released for Windows Server.

Microsoft released its August 2017 Patch Tuesday fixes, which targeted 48 vulnerabilities across various Microsoft products, including 15 critical patches and the first two fixes for the Windows subsystem for Linux.

One patch for the Windows 10 Linux subsystem remediated a denial of service flaw (CVE-2017-8627) that Microsoft only listed as “important,” not critical, but this issue was publicly disclosed, so experts said it should be moved up the priority scale.

Both patches were for the Windows 10 Linux subsystem, but Microsoft also just announced Insider Builds of Windows Server could begin using the Linux subsystem and it is unclear if the vulnerabilities affect Windows Server as well.

Bobby McKeown, senior manager of engineering at Rapid7, said enterprises should be careful when enabling the Windows 10 Linux subsystem.

“It is likely to increase the attack surface, given that it is going to be harder to control what applications are installed on a machine. Also, the combination of two different systems, which have access to each other’s file systems, is likely to increase possible attack vectors,” McKeown told SearchSecurity. “This is not default for normal users, however, with more and more adoption, it will become a greater target for attacks, and possible disclosure of vulnerabilities will potentially raise the profile of these types of vulnerabilities.”

Dustin Childs, communications manager for Zero Day Initiative, said Microsoft has done well to minimize potential risks associated with using the Windows 10 Linux subsystem.

“While the addition of a new, interactive shell does increase the attack surface on a Windows system, the fact that [the Windows 10 Linux subsystem] cannot run persistent Linux services, such as daemons, jobs, etc. as background tasks limits this threat,” Childs told SearchSecurity. “Any time a new feature is introduced, we know researchers take a close look at it to see if they find anything interesting. After this initial spike, it’s likely this component will receive a similar amount of attention as other, similar components.”

Other patches to prioritize

Beyond the Windows 10 Linux subsystem patches, experts roundly agreed the highest priority patch was CVE-2017-8620, a critical vulnerability in the Windows Search service which could allow an attacker to take control of the target system and “install programs; view, change, or delete data; or create new accounts with full user rights,” according to Microsoft.

Jimmy Graham, director of product management at Qualys, said this was the third time Microsoft has needed to patch the Windows Search service.

“As with the others, this vulnerability can be exploited remotely via [server message block (SMB)] to take complete control of a system, and can impact both servers and workstations,” Graham wrote in a blog post. “While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.”

Childs agreed this was the most critical bug of the month.

“As with the previous Search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” Childs wrote in his analysis. “That’s pretty close to wormable and just the sort of thing malware writers look for in a bug. Also, let this be your monthly reminder to disable SMBv1.”

“This could allow for an attacker on a guest OS to escape and execute code on the underlying hypervisor,” Childs wrote. “Back at the 2017 Pwn2Own competition, a Hyper-V escape like this one would have earned the contestant $100,000 USD. Although we didn’t have anyone attempt this product this year, it’s safe to say we’ll likely get some attempts should the category return.”

It’s no secret that the Level-1 SOC analyst has been continually vilified by the security industry as being ineffective against the modern threat. It’s really not the analysts’ fault because we are, in fact, expecting way too much from them. To understand this dynamic better, let’s examine the following six reasons why the job of monitoring a console for incidents in a SOC is so difficult to get right.

1. The demand for SOC analysts far surpasses the available talent. And since they are early-career security professionals whose market value rises very rapidly, retention is very low, typically 18-24 months. That puts most companies in the disadvantageous position of constantly hiring and retraining their front-line defenders, which costs valuable time, money and resources.

2. Today’s event volumes would have boggled the imagination just a few years ago. Using the traditional SIEM funnel, event volume is reduced to much less than 1% of the total to match the scarce number of SOC analysts available to look at the data. So it’s no surprise that incidents are missed: analysts are looking at a far smaller sample than is needed to identify modern threats.

3. The SIEM funnel is usually just a list of heuristics (correlation rules) that describe common attack scenarios. Some are even as bad as “multiple failed logins.” These static rules are an engineering headache to maintain and can only capture well understood or commodity attack patterns, leaving the real bad guys free to roam our networks.

4. Level-1 SOC analysts also bring a host of management challenges. I’ve witnessed episodes of incredibly poor judgment, especially on a less than fully supervised night shift. This ranges from various types of unprofessional behavior to carrying guns to work to show their friends. Experienced management is needed to help train and shape junior analysts into seasoned security pros. But that level of management talent is hard to staff on shift.

5. Lack of critical business context is another factor to consider. There are many complex business models in this modern economy. That means security analysts need to understand fundamental business operations across a wide array of enterprise disciplines. Understanding what a critical attack might look like across e-commerce, integrated supply chain logistics, finance, regulations, and more becomes a necessary skill.

6. Finally, the attacker ecosystem has fully professionalized into a “dark market.” The dark market is capable of a stunning variety of advanced attacks that leverage “living off the land” tools, making them very difficult to detect by traditional security practices. We are pitting our youngest new hires against their criminal best and losing, which is no surprise.

From our point of view at Respond Software, the industry is overdue for a different, more effective approach. And we shouldn’t blame the Level-1 SOC analyst for failing in the face of an almost impossible task. Having analysts monitor consoles to identify attackers is not the way we are going to get ahead of the bad guys in the future.